Posted to users@httpd.apache.org by Luke Scharf <ls...@ee.vt.edu> on 2002/02/19 17:07:39 UTC

Apache + mod_auth_pam + WebDAV

I'm attempting to authenticate certain directories using Linux's PAM
facility.  Ideally, we'd like to allow users to edit their
$HOME/public_html directories via WebDAV.  I'm aware of the security
risks, and we've carefully considered them in light of our situation.

Anyway, I've set up an isolated test-directory and can connect to it via
cadaver, so WebDAV seems to be working.  Now, I want to authenticate
users before they can edit files.

My <directory> entry looks like this:
    <Directory "/var/www/mod_dav">
        DAV on
        Options Indexes FollowSymlinks MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
        SetHandler auth_pam-handler
        AuthPAM_Enabled on
        AuthPAM_FallThrough off
        AuthType Basic
        AuthName "WebDAV Secure Area"
        require valid-user
    </Directory>

Whenever I attempt to authenticate a user, the logs/error_log reports:

[Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
/xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
[Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
error:  couldn't check user.  No user file?: /xxxxx/

and cadaver reports:
Could not contact server:
500 Internal Server Error

I get the same behavior with DAV disabled.

Any suggestions?

Thanks in advance!
-Luke


-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Apache + mod_auth_pam + WebDAV

Posted by Mark Constable <ma...@renta.net>.
On Wed, 20 Feb 2002 02:12, Owen Boyle wrote:
> Luke Scharf wrote:
> > [Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
> > /xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
> > [Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
> > error:  couldn't check user.  No user file?: /xxxxx/
>
> Where is your AuthUserFile? You know, the file with all the users and
> passwords?

I've never used mod_auth_pam but one possibility is that it needs to
access /etc/shadow to get at the password value so apache needs to
run with the same group GID as whatever /etc/shadow is set to.

--markc



Re: Apache + mod_auth_pam + WebDAV

Posted by Luke Scharf <ls...@ee.vt.edu>.
On Tue, 2002-02-19 at 11:12, Owen Boyle wrote:
> Where is your AuthUserFile? You know, the file with all the users and
> passwords?

Do you need an AuthUserFile when you're authenticating against PAM?  The
reason I'm using mod_auth_pam is so that it will automagically work with
our existing users.

If an AuthUserFile is used, can it use the system password?  That way,
the user only needs to keep one password from going stale.

Thanks!
-Luke

-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf




Re: Some advice...

Posted by Owen Boyle <ob...@bourse.ch>.
Daniel Giovannoni wrote:
> 
> Hello all,
> 
>     I was wondering what books people would suggest out there, to get a full
> comprehensive understanding of Apache?

I can't see further than "Apache - the definitive guide" by Ben and
Peter Laurie, published by O'Reilly - check out http://www.oreilly.com/
for details.

Rgds,

Owen Boyle.



RE: Some advice...

Posted by rc <e_...@yahoo.com>.
I am using Professional Apache by Peter Wainwright. Seems pretty good for a
beginner to intermediate level. It has lots of tips about extending Apache,
configuring with PHP and also Mysql. However, the author assumes you already
know much about the system.



-----Original Message-----
From: Daniel Giovannoni [mailto:tech@ct5.com]
Sent: Tuesday, February 19, 2002 10:29 AM
To: users@httpd.apache.org
Subject: Some advice...

Hello all,

    I was wondering what books people would suggest out there, to get a full
comprehensive understanding of Apache?

I am running on Red Hat, I am proficient with Linux and Apache for the most
part. Though I just haven't dove in yet, but that time is coming... I guess
is what I need more than anything, is a real good index... I have never
bought a book having to do with computers that I have read straight through,
I do not enjoy punishment. But, I usually judge the quality of a book by how
well the index is organized... So, if you guys have any suggestions or
comments -- I would love to hear them....

Thanks all
Daniel









Some advice...

Posted by Daniel Giovannoni <te...@ct5.com>.
Hello all,

    I was wondering what books people would suggest out there, to get a full
comprehensive understanding of Apache?

I am running on Red Hat, I am proficient with Linux and Apache for the most
part. Though I just haven't dove in yet, but that time is coming... I guess
is what I need more than anything, is a real good index... I have never
bought a book having to do with computers that I have read straight through,
I do not enjoy punishment. But, I usually judge the quality of a book by how
well the index is organized... So, if you guys have any suggestions or
comments -- I would love to hear them....

Thanks all
Daniel





Re: Apache + mod_auth_pam + WebDAV

Posted by Mark Constable <ma...@renta.net>.
On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> On Tue, 2002-02-19 at 11:58, Mark Constable wrote:
> > I've never used mod_auth_pam but one possibility is that it needs to
> > access /etc/shadow to get at the password value so apache needs to
> > run with the same group GID as whatever /etc/shadow is set to.
>
> The user accounts that we're trying to use are delivered via nisplus.
> The encrypted passwords are not in /etc/shadow.  PAM stacked on top of
> nisplus works great for our mail transfer agent (courier), but the "500
> internal server error" has me confused.

Ah, then check the UID/GID of courier and, at least for a test, make
apache run as the same user as courier. Smells like a perms prob to me.

--markc



Re: Apache + mod_auth_pam + WebDAV

Posted by Luke Scharf <ls...@ee.vt.edu>.
On Tue, 2002-02-19 at 16:03, Luke Scharf wrote:
> On Tue, 2002-02-19 at 13:39, Mark Constable wrote:
> > On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> > > The user accounts that we're trying to use are delivered via nisplus.
> > > The encrypted passwords are not in /etc/shadow.  PAM stacked on top of
> > > nisplus works great for our mail transfer agent (courier), but the "500
> > > internal server error" has me confused.
> > 
> > Ah, then check the UID/GID of courier and, at least for a test, make
> > apache run as the same user as courier. Smells like a perms prob to me.
> 
> This has no effect.  I have also tried several configurations for
> /etc/pam.d/httpd - everything from permit-all to the same configuration
> that works for Courier's imap server to an edited version of
> /etc/pam.d/ssh.  Any other suggestions?
> 
> What has to be in place in order for mod_auth_pam to do its thing?

I found the problem.  /etc/pam.d/httpd had permissions of 600.  When I
change permissions to 644 mod_auth_pam works like a charm!

Thank you all for the suggestions!
-Luke

-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf
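A diagnostic for the root cause found in this reply, added here as example code that is not from the thread or from mod_auth_pam itself: it checks whether the account httpd runs as can read a PAM service file such as /etc/pam.d/httpd, which is exactly the 600-versus-644 problem above. It assumes GNU stat(1) for the -c option and id(1); the RUNUSER argument is whatever the httpd User directive names (assumed "apache" in the usage line).

```shell
#!/bin/sh
# Constructed example: can the unprivileged httpd account read a PAM
# service file?  A mode of 600 root:root makes mod_auth_pam fail exactly
# as described in the thread; 644 root:root is the usual, working mode.

# file_readable_by FILE UID GID
# 0 = a process with that UID/GID may read FILE by its mode bits,
# 1 = it may not, 2 = FILE does not exist.  Primary gid only; supplementary
# groups are not consulted.
file_readable_by() {
    f=$1; uid=$2; gid=$3
    [ -f "$f" ] || return 2
    [ "$uid" -eq 0 ] && return 0                   # root is not subject to mode bits
    set -- $(stat -c '%a %u %g' "$f")              # octal mode, owner uid, group gid
    mode=$1; owner=$2; group=$3
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done # stat prints "0" for ---------
    m=${mode#"${mode%???}"}                        # last three octal digits only
    o=${m%??}; gw=${m#?}; g=${gw%?}; w=${gw#?}     # owner, group, world digits
    if [ "$uid" -eq "$owner" ]; then bit=$o
    elif [ "$gid" -eq "$group" ]; then bit=$g
    else bit=$w
    fi
    [ $(( $bit & 4 )) -ne 0 ]                      # 4 is the read bit
}

# check_pam_service SERVICE RUNUSER: prints a verdict for /etc/pam.d/SERVICE
check_pam_service() {
    svc=$1; runuser=$2; f=/etc/pam.d/$svc
    uid=$(id -u "$runuser" 2>/dev/null) || { echo "no such account: $runuser"; return 2; }
    gid=$(id -g "$runuser")
    rc=0; file_readable_by "$f" "$uid" "$gid" || rc=$?
    case $rc in
        0) echo "OK: $f is readable by $runuser" ;;
        1) echo "FAIL: $f exists but $runuser cannot read it (mode $(stat -c %a "$f"))"
           echo "      PAM service files are not secrets; 644 root:root is the usual mode" ;;
        *) echo "FAIL: $f is missing, so Linux-PAM falls back to /etc/pam.d/other" ;;
    esac
    return $rc
}

# Usage (assumed account name): sh pamcheck.sh httpd apache
if [ "$#" -eq 2 ]; then check_pam_service "$1" "$2"; fi
```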




Re: Apache + mod_auth_pam + WebDAV

Posted by Luke Scharf <ls...@ee.vt.edu>.
On Tue, 2002-02-19 at 13:39, Mark Constable wrote:
> On Wed, 20 Feb 2002 03:55, Luke Scharf wrote:
> > The user accounts that we're trying to use are delivered via nisplus.
> > The encrypted passwords are not in /etc/shadow.  PAM stacked on top of
> > nisplus works great for our mail transfer agent (courier), but the "500
> > internal server error" has me confused.
> 
> Ah, then check the UID/GID of courier and, at least for a test, make
> apache run as the same user as courier. Smells like a perms prob to me.

This has no effect.  I have also tried several configurations for
/etc/pam.d/httpd - everything from permit-all to the same configuration
that works for Courier's imap server to an edited version of
/etc/pam.d/ssh.  Any other suggestions?

What has to be in place in order for mod_auth_pam to do its thing?

Thanks in advance!
-Luke

-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf




Re: Apache + mod_auth_pam + WebDAV

Posted by Luke Scharf <ls...@ee.vt.edu>.
On Tue, 2002-02-19 at 11:58, Mark Constable wrote:
> > Where is your AuthUserFile? You know, the file with all the users and
> > passwords?
> 
> I've never used mod_auth_pam but one possibility is that it needs to
> access /etc/shadow to get at the password value so apache needs to
> run with the same group GID as whatever /etc/shadow is set to.

The user accounts that we're trying to use are delivered via nisplus. 
The encrypted passwords are not in /etc/shadow.  PAM stacked on top of
nisplus works great for our mail transfer agent (courier), but the "500
internal server error" has me confused.

-Luke

-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf




Re: Apache + mod_auth_pam + WebDAV

Posted by Owen Boyle <ob...@bourse.ch>.
Luke Scharf wrote:
> 
> I'm attempting to authenticate certain directories using Linux's PAM
> facility.  Ideally, we'd like to allow users to edit their
> $HOME/public_html directories via WebDAV.  I'm aware of the security
> risks, and we've carefully considered them in light of our situation.
> 
> Anyway, I've set up an isolated test-directory and can connect to it via
> cadaver, so WebDAV seems to be working.  Now, I want to authenticate
> users before they can edit files.
> 
> My <directory> entry looks like this:
>     <Directory "/var/www/mod_dav">
>         DAV on
>         Options Indexes FollowSymlinks MultiViews
>         AllowOverride All
>         Order allow,deny
>         Allow from all
>         SetHandler auth_pam-handler
>         AuthPAM_Enabled on
>         AuthPAM_FallThrough off
>         AuthType Basic
>         AuthName "WebDAV Secure Area"
>         require valid-user
>     </Directory>
> 
> Whenever I attempt to authenticate a user, the logs/error_log reports:
> 
> [Tue Feb 19 10:42:05 2002] [error] (13)Permission denied: access to
> /xxxxx/ failed for 127.0.0.1, reason: Critical error - immediate abort
> [Tue Feb 19 10:42:05 2002] [crit] [client 127.0.0.1] configuration
> error:  couldn't check user.  No user file?: /xxxxx/
> 

Where is your AuthUserFile? You know, the file with all the users and
passwords?

Rgds,

Owen Boyle
